
Glassfish 2.1 CLIENT-CERT how to get Principal

I have a Web application that I want to use with a Client Cert. I have set the following up in my web.xml and I can access my application over https.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

The handshake works fine. I'm only using the cert as a very coarse-grained security measure. I simply wish to know the principal of the supplied cert; no login as such is required. However, when I try to get the principal from the session it's null.

I have also tried

X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

but this is null as well. Does anyone know how I can get the principal from my cert?

Many thanks, Noush

Are you sure that GlassFish actually requests a client certificate?

I tried to do the same with Tomcat and I found out that Tomcat only requests a client certificate if you put an auth-constraint in your security-constraint like this:

<security-constraint>
    ...
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    ...
</security-constraint>

Without an auth-constraint Tomcat does not need to login the user and so no client certificate needs to be requested. The transport-guarantee only forces HTTPS.

But even with this, I had to add the user of the certificate to the container's role management and assign a role to the user, because otherwise the user will not be able to access the URL and gets an HTTP 401 response. So if you just want a client certificate without associating it with a user in the container, it won't work.

In Tomcat you can configure a realm to accept a user without roles when the role-name is *, but you still have to add the user to the authentication realm, which doesn't help if you want to accept all certificates that are trusted and check the certificate principal yourself. Maybe that is possible with GlassFish.
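As an added example (not code from the question or the answer above), this servlet filter does the "check the certificate principal yourself" step once the container actually requests a client certificate: it reads the chain from the standard javax.servlet.request.X509Certificate attribute the question uses, checks the leaf certificate's validity period, and exposes the subject DN to downstream code. The filter class name and the clientCertSubject attribute are assumed names; it targets a Servlet 2.5 container such as GlassFish 2.1.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Example filter (assumed name): extracts the client certificate principal from the TLS handshake. */
public class ClientCertPrincipalFilter implements Filter {

    // Standard Servlet attribute under which the container exposes the client chain (same one the question uses).
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumed attribute name under which the subject DN is handed to servlets/JSPs further down the chain.
    static final String SUBJECT_ATTR = "clientCertSubject";

    public void init(FilterConfig cfg) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Null means no certificate was presented, or the container never asked for one
        // (no auth-constraint, as described in the answer). Fail closed rather than letting the request through.
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        X509Certificate leaf = certs[0]; // certs[0] is the end-entity certificate; the rest is the chain to the trust anchor
        try {
            leaf.checkValidity(); // reject expired or not-yet-valid certificates even though the handshake succeeded
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate not valid: " + e.getMessage());
            return;
        }

        // The "principal" of the certificate is its subject DN (RFC 2253 form); the issuer tells you which CA vouched for it.
        String subjectDn = leaf.getSubjectX500Principal().getName();
        String issuerDn = leaf.getIssuerX500Principal().getName();
        req.setAttribute(SUBJECT_ATTR, subjectDn);
        req.setAttribute(SUBJECT_ATTR + "Issuer", issuerDn);

        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in web.xml alongside the CLIENT-CERT login-config; the container still has to be configured to request (or require) a client certificate, otherwise the attribute stays null exactly as the question describes.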
